Cyber Essentials, explained

6 min read · Updated June 2026

Cyber Essentials is the UK government-backed scheme, run under the NCSC, built on five technical controls that protect against the most common internet-based attacks. Base Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds an independent, hands-on technical audit of the same five controls.

What Cyber Essentials is

Cyber Essentials is a UK certification scheme, backed by the government and run under the National Cyber Security Centre (NCSC). It is deliberately a baseline: five technical controls that block the bulk of commodity, internet-based attacks, rather than a full management system.

That simplicity is the point. It is a quick, recognised first step, and it is frequently a requirement for UK public-sector contracts.

The five controls

  • Firewalls: control the traffic in and out of your networks and devices.
  • Secure configuration: remove or disable unnecessary functionality and default accounts.
  • Security update management: keep software supported and patched promptly.
  • User access control: manage accounts, apply least privilege, and protect admin access.
  • Malware protection: defend devices with anti-malware, allow-listing, or sandboxing.

Cyber Essentials vs Cyber Essentials Plus

Both cover the same five controls. The difference is how they are assured. Cyber Essentials is a self-assessment questionnaire that is independently verified. Cyber Essentials Plus adds a hands-on technical audit, where an assessor tests that the controls are actually in place. Plus carries more assurance weight with buyers.

How it relates to ISO 27001

Cyber Essentials is a baseline of five technical controls; ISO 27001 is a full information-security management system. The five themes are a subset of what ISO 27001 covers, so Cyber Essentials is a sensible quick win, and the work carries over if you go on to pursue ISO 27001 later.

How to get certified

  1. Confirm the scope: the devices, users, and networks in your assessment.
  2. Implement the five controls and gather evidence that they are in place.
  3. Complete the verified self-assessment for Cyber Essentials.
  4. Book the hands-on assessment if you need Cyber Essentials Plus.
  5. Recertify annually, keeping the evidence current in between.

Frequently asked questions

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both cover the same five technical controls. Cyber Essentials is a verified self-assessment, while Cyber Essentials Plus adds an independent, hands-on technical audit that checks the controls are actually in place. Plus carries more assurance weight.

Who needs Cyber Essentials?

Any UK organisation wanting a recognised security baseline, and in particular suppliers bidding for UK public-sector contracts, which often require Cyber Essentials or Cyber Essentials Plus.

How long does Cyber Essentials last?

Certification runs for a year, so organisations recertify annually. Keeping the five controls and their evidence current in between makes each recertification straightforward.

Do this in a fraction of the time

Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.